- Auto-connect on startup (skip with -m/--menu flag)
- Add VPN watchdog for auto-reconnect
- Add live TOTP display
- Fix host-routing.sh pipefail issue with grep
- Better forwarding rules similar to rego-tunnel
- Add entrypoint.sh and startup-vnc.sh to shared folder
- Override command in docker-compose.json to use /shared/entrypoint.sh
- Scripts can now be modified without rebuilding image
- Removed shared/ folder (host routing scripts)
- Restored original config.json, docker-compose.json
- Restored original Dockerfile and entrypoint.sh
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Removed build/ folder
- Restored source/ folder with original Dockerfile and entrypoint.sh
- Reverted config files to original working state
- Cleaned up shared/ to only contain host routing scripts
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- entrypoint.sh: Start VNC directly instead of systemd /sbin/init
- Changed NOVNC_PORT from 6080 to 6092 everywhere
- Dockerfile: Updated EXPOSE and default NOVNC_PORT
- Bumped tipi_version to 3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- host-routing.sh: Updated to use cistech values (172.30.0.10, br-vpn-static)
- config.json: Added TARGET_IP form field, bumped tipi_version to 2
- docker-compose.json: Added TARGET_IP environment variable
- docker-compose.yml: Synced with docker-compose.json (correct image, port 6080, all env vars)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The elif branch was missing 'echo "" |' which caused openconnect-sso
to hang waiting for stdin input when OC_PASSWORD is not set.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- entrypoint.sh: Auto-fetch pin-sha256 from VPN URL if not provided
- config.json: Remove OC_SERVERCERT (auto-fetched), add OC_PASSWORD
- docker-compose.json: Add OC_PASSWORD env var
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- docker-compose.json: Use git.alexzaw.dev/alexz/cistech-vpn:latest
- config.json: Add OC_TOTP_SECRET field, keep server cert as default
- Dockerfile: Remove hardcoded credentials (come from env at runtime)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add shared/host-routing.sh with nft for NAT masquerade
- Add shared/install-host-services.sh to set up systemd watcher
- Add shared/uninstall-host-services.sh for cleanup
- Add /runtime volume mount for trigger file
- Update entrypoint.sh to trigger host routing when VPN connects
Run install-host-services.sh on host after app install.
Requires image rebuild for entrypoint changes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add disown after vpnui & to suppress "killed" messages
- Ignore empty/whitespace input in menu loop
- Remove "Invalid choice" error (just ignore silently)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
After VPN reconnects, Cisco agent creates its chains asynchronously,
pushing our ACCEPT rules down where they're ineffective. Fix:
1. Wait up to 30s for ciscovpn chain to exist
2. Delete any existing rules (they may be in wrong position)
3. Insert fresh rules at position 1
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- host-routing.sh: Use nft instead of iptables for NAT masquerade
(iptables-nft backend doesn't support iptables -t nat commands)
- cisco-vpn: Use -I FORWARD 1 instead of -A FORWARD to insert rules
BEFORE Cisco VPN chains (which have catch-all DROP rules)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added start_watchdog() function that:
- Checks VPN every 60 seconds
- Sends keepalive ping every 5 minutes to prevent idle timeout
- Auto-reconnects up to 3 times if VPN drops
- Disabled screen blanking in xstartup and after VPN connects
- Removed useless monitor loop that only logged
- Rewrote description.md with current architecture
- Removed README.md (outdated Windows VM docs)
- Added install/uninstall instructions for host services
- install-host-services.sh: Creates watcher path/service units
- uninstall-host-services.sh: Removes units and cleans up
- Run once on host after app install
- Removed get_vm_bridge_ip() and get_container_gateway()
- Added get_container_ip() for eth0 (172.31.0.x network)
- Updated setup_forwarding() and show_network_status()
- No more ens3/VM references
- Hardcoded container IP (172.31.0.10) and bridge (br-rego-vpn)
- Simple start/stop/restart actions
- Removes stale routes before applying new ones
- Logs to /var/log/rego-routing.log
- Removed: redsocks, nft, VM subnet, container_apply
- Removed all sudo commands since container runs as root
- Added LOG_FILE at /var/log/cisco-vpn.log
- Modified log() to write to both console and file
- Added startup logging with env var status
